Biometric Security Vendor Exposes Fingerprints, Face Data

A biometric fingerprint reader at a government building in Brazil (Photo: Rachmaninoff via Wikimedia Commons/CC)

A South Korean company that makes a biometric access control platform exposed fingerprint records, facial recognition data and personal information after failing to secure an Elasticsearch database, security researchers say.

Suprema, which develops an access control platform called BioStar 2, left 23GB of data, including 27.8 million records, open on the internet, according to vpnMentor, a VPN reviews website. The platform can be used to manage access to doors and elevators using devices such as smart cards and fingerprint readers.

The database was found by Noam Rotem and Ran Locar, both Israel-based computer security researchers who have a notable record of finding sensitive exposed data.

Rotem and Locar were able to access the Elasticsearch database through a web browser and were able to "manipulate the URL search criteria into exposing huge amounts of data." Also, there was an insecure Kibana interface - a tool for visualizing databases - running on top of Elasticsearch.

vpnMentor published a video showing the kinds of information exposed.

The data belongs to a variety of businesses in at least 10 countries, including the U.S., Indonesia, India, Sri Lanka, U.K., UAE, Finland, Turkey, Japan and Germany. vpnMentor named some of the businesses affected, including co-working spaces, medical product vendors, a plastics recycling firm and a staffing agency.

The researchers report that they had difficulty alerting Suprema to the data exposure, including a German office for the company, which hung up the phone. They eventually reached a Suprema office in France. Suprema was notified on Aug. 7, but the exposure wasn't fixed until Tuesday.

In a statement provided to Information Security Media Group, Suprema says that it's "aware of the reports in the press regarding its BioStar 2 platform and the alleged unauthorized access to data involving vpnMentor. The company takes any report of this nature very seriously. It is investigating the allegations in the press reports and will liaise with any appropriate third parties and/or individuals as necessary. At this stage, it cannot make any further comment but will, if appropriate, issue a further press statement in due course, including corrections of any erroneous assertions in the reports to date."

No Encryption

Rotem and Locar found a rich data trove that lacked many basic security protections, vpnMentor says. The Elasticsearch database and Kibana interface should have been at minimum password protected and only allowed whitelisted IPs, according to the video.
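One way to catch that configuration before it reaches the internet, as an added example that is not code from the page, vpnMentor or Suprema: a small audit of flat elasticsearch.yml and kibana.yml settings for the two problems the video calls out, authentication disabled and the service bound beyond loopback. The setting names are real Elastic settings; the sample configuration files are constructed, and the parser assumes the flat `key: value` style these files normally use.

```python
"""Audit flat elasticsearch.yml / kibana.yml settings for the pattern above:
authentication off and the service bound beyond loopback (constructed example)."""

LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}

def parse_flat_yaml(text):
    """Minimal parser for one-setting-per-line YAML; nested blocks are not supported."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit_elasticsearch(text):
    s, findings = parse_flat_yaml(text), []
    # Absent is treated as disabled, the default before Elasticsearch 8.
    if s.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("elasticsearch: xpack.security.enabled is not true; "
                        "the REST API answers without credentials")
    host = s.get("network.host", "_local_")  # default binds loopback only
    if host not in LOOPBACK:
        findings.append(f"elasticsearch: network.host {host} is reachable beyond "
                        "loopback; restrict it or allow-list client IPs at the firewall")
    return findings

def audit_kibana(text):
    s, findings = parse_flat_yaml(text), []
    host = s.get("server.host", "localhost")  # Kibana's documented default
    if host not in LOOPBACK:
        findings.append(f"kibana: server.host {host} exposes the UI beyond loopback")
    if "elasticsearch.username" not in s:
        findings.append("kibana: no elasticsearch.username, so it cannot sit in front "
                        "of an authenticated cluster; enable auth on both sides")
    return findings

# Constructed samples: an open deployment next to a hardened one.
WEAK_ES = "network.host: 0.0.0.0\nhttp.port: 9200\nxpack.security.enabled: false\n"
WEAK_KIBANA = 'server.host: "0.0.0.0"\nelasticsearch.hosts: ["http://10.0.0.5:9200"]\n'
HARDENED_ES = "network.host: 127.0.0.1\nxpack.security.enabled: true\n"
HARDENED_KIBANA = ('server.host: "127.0.0.1"\nelasticsearch.username: "kibana_system"\n'
                   'elasticsearch.password: "${KIBANA_PASSWORD}"\n')

if __name__ == "__main__":
    print(audit_elasticsearch(WEAK_ES) + audit_kibana(WEAK_KIBANA))      # four findings
    print(audit_elasticsearch(HARDENED_ES) + audit_kibana(HARDENED_KIBANA))  # []
```

A clean result here only means the files ask for authentication and a loopback bind; the IP allow-list the video also calls for still has to be enforced at the firewall or reverse proxy in front of the host.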

The database included personal information for employees and unencrypted usernames and passwords. It also included fingerprint data, facial recognition data and photos of faces, records of building entries and exits, employee records, security clearances and mobile device information, vpnMentor reports.

The fingerprint data wasn't hashed, which means it could be copied and used for malicious purposes, vpnMentor says. Client administrative panels, dashboards, back-end controls and permissions were visible as well.

"With this leak, criminal hackers have complete access to admin accounts on BioStar 2," vpnMentor says. "They can use this to take over a high-level account with complete user permissions and security clearances, and make changes to the security settings in an entire network."

Attackers would potentially be able to use the exposed information to change user permissions and lock people out of areas in buildings, vpnMentor says. Also, it claims it would be possible to create new user accounts leveraging the face and fingerprint data to gain access to secure areas.

Impact: To Be Determined

The full scope of the exposure will likely play out over the next few days, including how many people and organizations are affected.

Suprema says it has the most market share of any biometric access control vendor in Europe, the Middle East and Africa. That means the General Data Protection Regulation, the European Union's strict data law, would cover some of the company's customers.

Under GDPR, companies can be fined €20 million or up to four percent of annual revenue, whichever is greater, for severe breaches.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
